6 Replies Latest reply on Mar 6, 2017 4:37 PM by alaasemaka

    Adding Fortinet 60D using SNMPv3

    alaasemaka

      Has anybody had an issue with adding a Fortinet 60D node using SNMPv3? v3 community is just fine but I'm not able to add it in v3; the test fails.

      If anyone knows about it or has done it before, would you please share your configurations, or maybe some hint on how it is working on your side?

       

      Thank you.

      Best,

       

      Ala Semaka

        • Re: Adding Fortinet 60D using SNMPv3
          rschroeder

          I've never tried with a Fortinet, but (forgive me for asking the obvious) have you configured the firewall with a rule to allow access via snmp?  If not, it won't matter what snmp version or string is used.

           

          Other firewalls I've managed required creating allowed network source IP addresses, protocols, destination address(es) on the firewall(s), and rules that used those components to allow snmp to poll the firewall.

           

          My personal recommendation:  never use read-write strings.  Read-only is enough for reporting & discovering a node.

            • Re: Adding Fortinet 60D using SNMPv3
              alaasemaka

              Hi Rschroeder,

               

              Thanks a lot for your reply. Yes, I allowed SNMP on my port that I'm using to communicate with the SolarWinds machine. This firewall works perfectly in SNMPv2, but not v3. This means that all my policies are in place (I assume); there is just something fishy going on with v3, not sure who's to blame here!!

               

              Thanks again for your reply.

              Best,

                • Re: Adding Fortinet 60D using SNMPv3
                  rschroeder

                  I've had similar challenges with V3.  Each one was overcome by simplifying the snmp-v3 string and ensuring the rules for the products involved were identical and compatible. 

                   

                  In one case I discovered a product that claimed to support v3, but would only do so when the Authentication password was made the same as the Privacy/Encryption password.  That sort of bypasses the effectiveness and complexity of the protection by using the same credential twice.

                   

                  Could it be that your solution requires some simplifying?  Perhaps try the shortest and simplest snmp-v3 password possible on the Fortinet, and manually key it in there, as well as manually keying it into NPM.

                   

                  Wouldn't it be nice if diagnostics on products and their monitoring solutions--which require identical credentials for secure communication--offered better information about why a particular communication failed?  If a person could know they had a typo in one of those devices' strings--maybe even something as simple as an extra space at the end (a la Windows Copy & Paste)--it would sure save some frustration.
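
Added example, not part of the thread and not Fortinet or SolarWinds code: a pre-flight check for the failure mode raised in the last reply. It derives the SNMPv3 USM localized keys (RFC 3414 password-to-key algorithm) from the credentials as typed on each side, showing that a stray trailing space yields a different key, and it flags identical auth/priv passwords. The dictionary field names, sample passwords and the engine ID (the RFC 3414 test value) are assumptions constructed for illustration.

```python
import hashlib

def localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated password (Ku), then bind
    Ku to one agent's engine ID to get the localized key (Kul)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.new(algo, pw * reps + pw[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def compare_credentials(device: dict, poller: dict, engine_id: bytes) -> list:
    """Compare two copies of one USM user's passwords; return findings.
    Keys are compared, never printed, so no secret ends up in output."""
    findings = []
    for field in ("auth_pass", "priv_pass"):
        d, p = device[field], poller[field]
        for side, value in (("device", d), ("poller", p)):
            if value != value.strip():
                findings.append(f"{field}: leading/trailing whitespace on {side}")
        if localized_key(d, engine_id) != localized_key(p, engine_id):
            findings.append(f"{field}: localized keys differ, requests will be rejected")
    if device["auth_pass"] == device["priv_pass"]:
        findings.append("auth and priv passwords are identical on device")
    return findings

# Constructed sample input: the poller copy of auth_pass carries a pasted
# trailing space. ENGINE_ID is the RFC 3414 test-vector engine ID.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
DEVICE = {"auth_pass": "maplesyrup", "priv_pass": "birchsyrup"}
POLLER = {"auth_pass": "maplesyrup ", "priv_pass": "birchsyrup"}

if __name__ == "__main__":
    for line in compare_credentials(DEVICE, POLLER, ENGINE_ID):
        print(line)
```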